Security

Vultisig prioritizes security through open-source transparency, professional audits, and responsible disclosure practices.

Security Model

Vultisig's security is built on threshold signature schemes (TSS), eliminating single points of failure:

• No single private key: Keys are never constructed; vault shares create signatures collaboratively

• Distributed trust: Compromising one device does not compromise funds

• Open source: All code publicly auditable on GitHub

For technical details, see Security & Technology.

Audits

TSS Library (mobile-tss-lib)

The core TSS library has been audited by:

DKLS23 Implementation

The upgraded DKLS23 protocol (via Silence Laboratories):

Application Audits

Mobile and desktop application security assessments are conducted regularly. Reports are published upon completion.

Bug Bounty

Vultisig operates a responsible disclosure program for security researchers.

Scope

• Vultisig mobile applications (iOS, Android)

• Vultisig desktop applications (macOS, Windows, Linux)

• Vultisig browser extension

• TSS library (mobile-tss-lib)

• Backend infrastructure

Rewards

Bounties are determined based on severity:

Reporting

Report vulnerabilities to: [email protected]

Include:

• Detailed description of the vulnerability

• Steps to reproduce

• Potential impact assessment

• Your suggested fix (optional)

Do not publicly disclose vulnerabilities before they are addressed.

Security Best Practices

For Users

1. Backup vault shares to secure, offline storage

2. Verify addresses before signing transactions

3. Keep apps updated for latest security patches

4. Use Secure Vault for significant holdings

5. Never share vault shares or backup files

What Vultisig Cannot Do

• Access your funds

• Recover lost vault shares

• Reverse blockchain transactions

• View your private keys (they never exist)

Related

• Security & Technology — Technical documentation

• Emergency Recovery — Fund recovery if software unavailable

• Privacy Policy — Data handling practices